CYBERSHEATH BLOG

In the years before business leaders truly understood cyber risk, requested budgets for cyber security departments were often approved without thoughtful consideration or review. There was a day when CISOs could basically say to a CIO, “I can’t tell you how much safer this will make us, and I can’t say we absolutely won’t have a data breach, but I need 3.5 million dollars.” Most of those inflated numbers were driven by the desire to buy the latest security tools that vendors promised would solve all security problems. The funds were generally spent on products and the staff to support them.

CISOs can no longer expect to have large annual budgets approved without tangible, quantified data to back up the necessity. The days have passed when budgets were built on fear, uncertainty, and doubt (FUD), empire building, or opportunities to buy the trending tools. Security funding needs to produce measurable results or, at a minimum, be supported by credible metrics that validate the business need.

One of the most overused phrases in security organizations today is “enabling the business.” It looks great in mission statements and sounds good in meetings, but what does it really mean? Common answers usually center on “protecting information” and “responding to incidents.” But are the defensive actions of a security organization truly assisting the company with growth and productivity? How can security actually help the organization accomplish more work and subsequently add revenue?

Security assessments can be of transformational value for your organization, or they can be shelfware; which one you end up with is a matter of leadership and strategy. Here is just one example of how an assessment can be transformational.

Siobhan Gorman of the Wall Street Journal wrote yesterday that “Fortune 500 companies in a range of industries back a system of voluntary cybersecurity standards”. The topic of cybersecurity standards being voluntary or mandatory often sparks lively debate, but unfortunately it’s the wrong discussion.

…that’s my advice for managers and CISOs who find themselves on the hamster wheel of incident response and day-to-day operations. It’s easy to get locked into a permanent schedule of daily meetings punctuated by operational crises and mistakenly believe that security is different from anything else in your business and can’t be managed. Of course it can, but like anything worth doing (dieting and exercise come to mind), it’s hard and results take time to materialize. To do it you have to lead so that you can manage.